Hi,
Usually in production environments we don’t want to use properties files to hold the usernames and passwords of different users. JBoss AS7 therefore offers several options for telling the server how to authenticate and authorize users, and where to store the username and password information in a more secure fashion.

In this example we are going to see how Active Directory authentication can be used to log users in to a deployed web application. This is achieved using the “org.jboss.security.auth.spi.LdapExtLoginModule”.
Make sure that your Windows Active Directory is configured properly, for any issues related to Active Directory contact your Active Directory Administrator.

NOTE: In the above case the Active Directory address is “ldap://10.10.10.10:389” and a user has been created in the Active Directory as “abc@mydomain.com” with password “User@Password1”. This user “abc@mydomain.com” is a member of the group “Administrators”. (These details can be obtained from the Active Directory administrator.)

NOTE: A relative path to the properties file can also be used in the above section rather than a hard-coded absolute path:
<module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
OR
<module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>

Step-2). As “org.jboss.security.auth.spi.LdapExtLoginModule” requires the “com.sun.jndi.ldap.LdapCtxFactory” class, we need to add a global module in “/home/userone/jboss-as-7.0.1.Final/standalone/configuration/standalone.xml” so that the JAR containing that class is on the classpath. To do that, edit the following tag inside standalone.xml as shown, adding the Sun APIs to the global modules section:

Step-4). Create a file “test-roles.properties” inside the “/home/userone/jboss-as-7.0.1.Final/standalone/configuration/” directory with the following content (it maps the Active Directory group “Administrators” to the application role “TestRole”):

Administrators=TestRole

Step-5). Now you can restart your server and then try accessing your web application by passing the credentials as username “abc@mydomain.com” and password as “User@Password1”.

NOTE: If you are facing any issue or authentication failure, enable the following logging category in your “/home/userone/jboss-as-7.0.1.Final/standalone/configuration/standalone.xml” file to get TRACE level information related to security, then check “server.log” to find out why the authentication is failing:

NOTE: If you face an exception or error during user authentication and are not able to find the root cause of the failure, then in Step-1) you also need to add the following module-option to see exactly where it is failing:
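The security-domain from Step-1 is not reproduced on this page, so here is how the pieces described above fit together in standalone.xml. This is an added example, not the original post’s own snippet: the option names are the real LdapExtLoginModule and RoleMappingLoginModule options, while the security-domain name, the service account DN, the base DNs, the subsystem namespace and the placeholder password are assumptions.

```xml
<!-- Assumed security-domain for the Active Directory at ldap://10.10.10.10:389
     (the address from the post). Users such as abc@mydomain.com are looked up
     by userPrincipalName; their AD groups are then renamed via
     test-roles.properties (Administrators=TestRole) from Step-4. -->
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="ad-ldap-domain">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <!-- Assumed low-privilege service account used only to search the
               directory; the user's own password is checked by a separate bind. -->
          <module-option name="bindDN" value="CN=svc-jboss,CN=Users,DC=mydomain,DC=com"/>
          <module-option name="bindCredential" value="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"/>
          <!-- Where to find the user; {0} is the login name typed by the user. -->
          <module-option name="baseCtxDN" value="DC=mydomain,DC=com"/>
          <module-option name="baseFilter" value="(userPrincipalName={0})"/>
          <!-- Where to find groups; {1} is the DN of the user just found.
               The group's cn (for example "Administrators") becomes the role. -->
          <module-option name="rolesCtxDN" value="DC=mydomain,DC=com"/>
          <module-option name="roleFilter" value="(member={1})"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="roleAttributeIsDN" value="false"/>
          <module-option name="searchScope" value="SUBTREE_SCOPE"/>
        </login-module>
        <!-- Map the AD group name onto the role the application expects. -->
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
          <module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>
          <module-option name="replaceRole" value="true"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- Logging subsystem fragment for the troubleshooting NOTE above: TRACE output
     from the security layer shows which bind or search step is failing. -->
<logger category="org.jboss.security">
  <level name="TRACE"/>
</logger>
```

The web application then references the domain through `<security-domain>ad-ldap-domain</security-domain>` in its jboss-web.xml and declares the role “TestRole” in web.xml.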

3 Comments for this entry

One question: can we externalize the Active Directory configuration out of standalone.xml and possibly include it as some other XML configuration so that it can be included in my deployment? Basically, so I can configure it at build time based on my build environment (development, test etc.)

I have understood what you have done exactly, but I want to take bindCredential from the user instead of hardcoding… I mean I have one login page with username and password. When I enter the password, that value should be taken for bindCredential.

Cool, but it would be great if there were an article with the artifacts to download instructing how to do it with a Role Mapping also inside Active Directory or LDAP. The actual example shows the roles inside a property file.